Infrastructure Fitness and Design Simplicity for IBM Mobile Connect



Given at IBM Connect 2013, 31 January 2013

Most companies are unaware of IBM Mobile Connect, the hidden authentication jewel in the IBM Collaboration portfolio. Whether you want to start with it or learned at last year's conference how to set up IBM Mobile Connect, it's now time for optimization and tuning. This session provides a deep dive into installation considerations and deployment design. Join to get real-world information on topics such as how to install IMC on 64-bit Linux, problems specific to different operating systems, and how to set up IMC for High Availability. Last but not least, we'll introduce the new capabilities of IMC 6.1.5, which enable it to be used with Sametime Mobile, Connections Mobile and Traveler High Availability.


  1. BP406 Infrastructure Fitness and Design Simplicity for IBM Mobile Connect. René Winkelmeyer | midpoints GmbH; Bill Malchisky Jr. | Effective Software Solutions, LLC. © 2013 IBM Corporation
  2. Agenda
      ● Introduction
      ● What is IBM Mobile Connect?
      ● Deployment of IBM Mobile Connect
      ● Configuration of IBM Mobile Connect
      ● Troubleshooting, Pitfalls, and Tuning
      ● Wrap-up with Q&A
  5. About Us: René Winkelmeyer
      ● Senior Consultant at midpoints GmbH
      ● IBM Advanced Business Partner from Germany
      ● Specialized in RCP development, XPages development and building mobile infrastructures
      ● IBM Design Partner for Notes/Domino Next and Mobile
      ● OpenNTF Contributor: File Navigator, Generic NSF View Widget for IBM Connections
  6. About Us: Bill Malchisky Jr.
      ● Chief Technical Architect and Managing Partner of Effective Software Solutions, LLC
      ● Noted regulatory compliance expert in the field
        ● Designed disclosure response solutions for FORTUNE 500, medium-sized, and small established regulated firms
      ● Written multiple articles on compliance and eDiscovery
      ● Speaker at 20+ Lotus related conferences/LUGs
      ● Co-authored two IBM Redbooks on Linux
      ● Domino specialty project experience
      ● IBM Design Partner for IBM Notes/Domino Next and Mobile
  7. How To Get In Touch With Us?
      ● René: Skype: muenzpraeger; Twitter: muenzpraeger
      ● Bill: Skype: FairTaxBill; Twitter: @billmalchisky
  8. Quick Survey: What’s your IBM Mobile Connect experience?
  10. What is IBM Mobile Connect?
  11. What is IBM Mobile Connect?
      ● Connection Manager (server-side)
        ● Software that runs on the server and controls access to enterprise resources
        ● Support for IP and non-IP network protocols
        ● Mobile Network Connections (MNC) for combinations of public/private networks
      ● Distributed Administration (“Gatekeeper”)
        ● Java-based administrator console that can run on various platforms
        ● Policy Management is an integral part of Administration
      ● Mobility Client (client-side)
        ● Software that runs on the mobile device and interfaces to Connection Manager
        ● Mobility Client authenticates and establishes a VPN with Connection Manager
        ● Includes toolkit for creating network-aware applications
      ● HTTP Access (client-less)
        ● HTTP access services provide an SSL-secured tunnel for HTTP communication to any HTTP Version 1.1 application
  12. Lotus Mobile Connect 6.1.4 to IBM Mobile Connect 6.1.5
      ● Native 64-bit support of Gateway for multiple platforms (Windows, Linux, AIX)
      ● Support for Android 4 (VPN client)
      ● HTTP Access Single URL support
        ● IBM Notes Traveler HA, IBM Connections Mobile, IBM Sametime Mobile
      ● HTTP Access URL rewriting
        ● IBM Notes Traveler HA, IBM Connections Mobile, IBM Sametime Mobile
      ● 64-bit kernel support for Mac OS X 10.6 and 10.7, support for Mac OS X 10.8
  13. Example: Traveler HA without IBM Mobile Connect
  14. Example: Traveler HA with IBM Mobile Connect 6.1.5
  15. Example: Full ICS Infrastructure with IBM Mobile Connect 6.1.5
  16. Benefits
      ● Seamless integration with existing IBM Collaboration products
      ● Simple, straightforward GUI-based setup
      ● Client support for any main operating system
        ● Windows, Mac OS X, Linux, Android, iOS
  18. License Updates Positively Impact Customer Cost
      ● Enterprise Domino license includes the IMC CALs
      ● Still need the server license, based upon PVUs
      ● New for Notes 9 – update to the latest IMC version
      ● WebSphere ND9 entitlement changes
        ● WebSphere Edge components included with ND9
        ● Permitted to use all components of WebSphere Network Deployment ND
        ● WAS ND provided to Domino Enterprise Server and Domino Collaboration Express licenses
  19. Hardware Requirements – AIX
      ● System name: IBM System p™
      ● Platform: X64 POWER™ 7 w/ 2-4 processors
      ● Memory: 4GB
      ● Disk space: 1 GB local, 1 GB logging CM, 100MB logging GK
  20. Hardware Requirements – Linux
      ● System name: IBM System x™
      ● Platform: Intel Xeon or equivalent, quad core suggested; Intel Pentium 4+ at 2GHz
      ● Memory: 4GB
      ● Disk space: 1 GB local, 1 GB logging CM, 100MB logging GK
      ● Note: Linux is supported on the Intel platform only
  21. Hardware Requirements – Solaris
      ● System name: Sun SPARC
      ● Platform: Sun Blade 2055, UltraSPARC IIIi at 1.6GHz
      ● Memory: 4GB
      ● Disk space: 1 GB logging CM, 100MB logging GK
  22. Hardware Requirements – Windows
      ● Connection Manager
        ● Platform: Intel Xeon, Pentium 4, EM64T, AMD Opteron
        ● Memory: 4GB
        ● Disk space: 1 GB disk space plus 1 GB logging CM
      ● Gatekeeper
        ● Platform: pretty much any modern day system
        ● Disk space: 100MB logging GK
  23. Hardware Requirements – Mobility Client
      ● Android: if it can run Google Android 4+, then you are fine
      ● Linux Desktop: pretty much any modern computer; 25MB disk space
      ● Mac OS: any Macintosh computer capable of running Mac OS 10.6+
      ● Windows: pretty much any modern computer; 5-10 MB disk space
      ● Nokia devices: Nokia 9300, 9300i, 9500 Communicator; Nokia E50, E51, E55, E52, E60, E61, E61i, E62, E66, E70, E71, E71X, E72, E75 or E90; 500KB disk space
  24. Operating System Requirements – 6.1.5
      Columns: Environment, Connection Manager, Gatekeeper, Mobility Client
      AIX 5.3, 6.1, 7.0 6.1, 7.0 N/A Android N/A N/A Android 4.0+ Linux – Red Hat RHEL 4.0 ES/AS RHEL RHEL RHEL 5.0 ES/AS 4.0/5.0/5.4/6.0/ 4.0/5.0/5.4/6.0/ 6.2 RHEL 5.4 ES/AS WS/ES/AS WS RHEL 5.8 RHEL 6.1, 6.2, 6.3 Linux - SuSE SLES 9, 10, 11.0, SLES 9, 10, 11, SLED 9, 10, 11 11.1, 11.2, 11.3 11.1, 11.2, 11.3 OpenSuSE 12.1 SLED 11.0 Mac OS X N/A N/A OS X 10.6, 10.7, 10.8 Solaris Sun Solaris 9, 10 Sun Solaris 9, 10 N/A
      ● Technote –
  25. Operating System Requirements – 6.1.5, Continued
      Columns: Environment, Connection Manager, Gatekeeper, Mobility Client
      Windows Server 2008 Server 2008 Windows 7 Server 2008 R2 Server 2008 R2 Windows Vista Server 2003 Server 2003 Windows XP Server 2003 R2 Server 2003 R2 Windows 2000 Windows 7 Windows Mobile 6.1 / 6.5 Windows Vista Windows Mobile V5 and V6 Windows XP Smartphones and Pocket PC Windows 2000 Windows Mobile 2003 / 2003 SE Pocket PC Editions
      ● Technote –
  26. Supported Storage Software - RDBMS
      ● DB2 Universal Database 9.8
      ● DB2 Universal Database 9.7**
      ● DB2 Universal Database 9.5
      ● DB2 Express-C 9.5
      ● DB2 Universal Database™ 9.1
      ● DB2 Express-C 9.1
      ● DB2 Universal Database™ Express Edition 9.1
      ● Oracle 9.0.1,, or, with the DataDirect Connect ODBC Version 5.3
      ● Oracle 10g Release 1 or 10g Release 2, with the DataDirect Connect ODBC Version 5.3 (Support for DataDirect drivers)
      ● Microsoft® SQL Server 2005
      ● Microsoft SQL Server 2005 Express
      ● Microsoft SQL Server 2008
      ● Microsoft SQL Server 2008 Express
      ** Notations next slide
  27. RDBMS Notations
      ● DB2 requires an ODBC RDB client to store session data
      ● DB2 9.7 on x64 Windows Server requires FP6 or better
        ● Resolves an installation verification check failure with the DB create wizard
      ● ONLY use DataDirect ODBC Oracle Wire Protocol Driver
        ● Client Mode Driver is UNSUPPORTED
        ● Phasing out going forward, included for Solaris support
      ● DB2 with Connection Manager – install either DB2 Administration Client or Application Development DB2 Client
      ● Full details located here:
  28. Supported Storage Software - Continued
      ● LDAP
        ● IBM Tivoli Directory Server 5.2
        ● IBM Tivoli Directory Server 6.0
        ● IBM Tivoli Directory Server 6.2
        ● IBM Tivoli Directory Server 6.3
      ● LDAP-BIND
        ● Secondary authentication on version 3 LDAP-compliant servers: IBM Domino, IBM Tivoli Directory Server, Microsoft Active Directory
      ● Virtualization
        ● POWER Hypervisor on AIX, Red Hat Enterprise Linux (RHEL), SuSE Linux Enterprise Server (SLES)
        ● VMWare Workstation on Windows, RHEL, and SLES
        ● VMware ESXi Server on Windows, RHEL, and SLES
        ● VMWare ESX Server on Windows, RHEL, and SLES
        ● RedHat Xen Virtualization (or current offering) on Red Hat Enterprise Linux and Windows
      ● Local File System
        ● Selected for test environments, proof of concept with less than 100 users
  30. Configuration options of IBM Mobile Connect 6.1.5
      ● Single URL support and URL rewriting for IBM Notes Traveler, IBM Connections Mobile and IBM Sametime Mobile
      ● Directory services (any LDAP v3 directory, also available on pre-6.1.5)
      ● Secure SSL communication between IMC and backend server (also available on pre-6.1.5)
  31. Configuring IBM Mobile Connect 6.1.5 – HTTP Access Services: The Service tab
      ● This Service URL will be used on a device to connect to IBM Mobile Connect
      ● Enter the directory and file name of the key database and the stash file
  32. Configuring IBM Mobile Connect 6.1.5 – HTTP Access Services: The Server tab
      ● The “Application server URL” defines the backend systems to which requests are forwarded
        ● The systems are separated by commas
        ● Keywords define the type of backend system used: TRAVELER, CONNECTIONS, SAMETIME, INOTES
        ● When keywords are used, IMC looks for specific path requests; otherwise it has to determine the type itself, which costs some more cycles
  33. Configuring IBM Mobile Connect 6.1.5 – HTTP Access Services: The Server tab
      ● The “Scheduling algorithm” defines how load balancing and fail-over take place
      ● Round robin: pure round robin distribution
      ● Balanced: requests are balanced based on active users or connections
      ● Active/Passive: IMC uses one server or the other
        ● Enabling automatic fail-over with a value of “0” forces IMC to fail over immediately
  34. Configuring IBM Mobile Connect 6.1.5 – HTTP Access Services: The Server tab
      ● URL rewriting allows internal URIs to be rewritten to external URIs. A dedicated rules file needs to be set up
      ● Rewriting for Traveler isn't supported due to the encrypted stream
  35. Configuring IBM Mobile Connect 6.1.5 – HTTP Access Services: The IBM Mobility tab
      ● By enabling the “IBM Notes Traveler integration” checkbox, IBM Mobile Connect knows that requests to /traveler or /servlet/traveler are Traveler specific and will forward these requests to the defined TRAVELER servers
  37. A Complete (x64) Build Is A Content Build
      ● Running Linux? You must ensure the needed i386 library files exist
        ● Otherwise Gatekeeper will crash
      ● Required library files
        ● libstdc++ – Java prerequisite
        ● libXrender
        ● libXft
        ● libXmu
        ● libXtst
      ● Ensure the xinetd service is running
      ● Gatekeeper still fails to launch?
        ● Check in ~/.wgcfg for StdErr.txt, which should list the missing compatibility libraries needing installation
      ● Technote – “Gatekeeper may not install or run on a 64-bit Linux Distribution without the correct libraries”
  38. Log Entries
      ● "(The partner closed the socket before the protocol completed)"
        ● Error is benign
        ● Tends to happen a lot with browser traffic
      ● LDAP FN search query returns this format - “”
        ● IMC local stored format – can ignore; everything is working fine
      ● Failed connecting to your traveler server. SSL error, 414 (paraphrasing)
        ● IMC doesn't trust the certificate
        ● Users get rejected rather than prompted to accept the cert
        ● Self-signed certs are great for testing, but require extra configuration steps
        ● Import the self-signed certificate into the IMC key store – lmc.kdb
        ● Connect to server via browser → accept cert → export into DER format via the cert manager
        ● Next, use IMC's keymanager to add that cert as a Signer certificate
        ● Restart IMC to reload the lmc.kdb file
        ● Note: as the IMC is a server/daemon process, it is unable to respond to accept the cert
  39. Log Entries – Continued
      ● 23910:-400946288 (Apr 13 2012/20:26:56.8244)[S-AUTH]AUTH_Server: authentiate rc=8
        ● A common cause: credential failure on the admin bind for the DSS server
        ● IMC won't clear it until you change the admin ID/password or restart IMC
        ● Counter-intuitive but intelligent error trapping algorithm
  40. If All Else Fails...
      ● … and you need to re-install the IMC
        ● You do not need to install DB2 again
        ● An option presented during Connection Manager initial configuration addresses this – "Erase existing database (including all tables and data) and create a new database"
  41. LDAP Tips
      ● When performing LDAP search queries, use the “-x” parameter to explicitly state simple authentication
      ● LDAP bind authentication method contains a time-out
        ● Anything longer than 10 seconds will cause many problems
        ● Best practice – bind and search should be less than 500 msecs
      ● Debugging LDAP API issues (on Linux)
        ● Stop IMC with wgstop
        ● Start IMC with LDAP_DEBUG=65535 wgstart >ldap-debug.txt 2>&1
      ● To authenticate Notes and Internet Explorer LDAP clients via credentials
        ● Enable name and password authentication; anonymous is a cultural choice
        ● Source: details located in the Domino Info Center's Troubleshooting section
        ● %2FH_NAME_AND_PASSWORD_AUTHENTICATION_FAILS_FOR_LDAP_CLIENTS_CONNECTING_TO_THE_LDAP_SERVICE_STEPS.html
  42. Tips with Certificates
      ● When disabling SSO, clear cookies in your browser after making the change
      ● Need the mail server certificates for iNotes if the mail lies on a different server
        ● Relevant for test environments and during cut-over
        ● Only for SSL communication to back-end
  43. Local storage on 64-bit operating systems with IMC 6.1.5
      ● IBM has dropped support for local storage with IMC 6.1.5 on 64-bit operating systems
      ● You have to set up an appropriate RDBMS when you plan to install IMC 6.1.5 on 64-bit or to migrate an existing LMC 6.1.4 to 64-bit
      ● Technote –
  44. URL Regex rewriting capabilities or restricted paths
      ● You can't rewrite URLs based on regex or restrict access to specific paths
      ● That means, for example, that you can't prevent access to LotusTraveler.nsf
  45. Availability Index checks for Traveler
      ● IMC doesn't check the Availability Index of Traveler
      ● IMC queries its internal database for user assignments and assigns new users to the server with the least number of assignments and user-based affinity
  46. Using MS SQL as database server for IMC
      ● The account used to connect to the MS-SQL server needs the right to create databases
      ● The Installation Wizard provided with IBM Mobile Connect 6.1.5 does not connect to existing databases but tries to create new ones
      ● After installation, the right to create databases can be removed from this user account
  47. Uninstallation
      ● The uninstallation of IBM Mobile Connect may delete the ConnectionManager folder
      ● Back up your /conf subfolder, your exported LTPA token and your SSL Key-DBs if you're storing them in the ConnectionManager folder!
  49. Additional Resources – Part I
      ● IMC/LMC Wiki
      ● IMC Information Center and Version 6.1.5 Documentation
      ● IMC Forum
      ● Enabling secure, remote access to IBM Lotus iNotes using IBM Lotus Mobile Connect
      ● IMC Documentation
      ● IMC Features and Benefits
  50. Additional Resources – Part II
      ● LMC: Providing secure remote access to Traveler servers
      ● LDAP Browser – Softerra™
        ● Read-only browser is FREE; Administrator tool is commercial
        ● Officially supports Lotus Domino, IBM, Red Hat, OpenLDAP, Microsoft Active Directory, and seven more
      ● LMC Fix List – 6.1.4
      ● Collecting Core Dumps
  51. Related Session
      ● SHOW101 – Making IBM Traveler Highly Available - Part 2: Extending and Securing The Network
        ● Speakers: René Winkelmeyer - midpoints; Detlev Pöttgen – midpoints
        ● Room: Swan Osprey 1 & 2
        ● Track 11: Show 'n Tell
        ● Date: Tuesday, 29 January (for reference)
        ● Covers installation of IMC as a complement to this session
  52. Linuxfest Returns!
      Back for another informative all-inclusive Linux session in 2013. Join Bill Malchisky, Wes Morgan, and guest Daniel Nashed!
      ● When: TODAY, Thursday, 31 January
      ● Where: Dolphin Hotel - Sum Chows (Next to Picabu, Level 1)
      ● Time: 12:15 - 1:30 pm
      ● Other: Bring your box lunch!
      We’re not in the program guide, so mark your calendar, or see our listing in the ConnectOsphere agenda Notes app.
      **Special thanks to Red Hat for providing our session swag!**
  53. Q&A
      ● Now and here: get the mic!
      ● Later: via any social media – see contact details at the beginning of this slide deck
      ● (Updated) slides will be on our blogs and on SlideShare
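
The log entries discussed on slides 38 and 39, turned into a triage pass over a Connection Manager log; this is an added example, not code from the presenters or from IBM. The line layout is inferred from the single log line quoted on slide 39, the wording of the SSL message is an assumption because the slide paraphrases it, and the EXAMPLE component tag and all sample lines except the first are constructed.

```python
import re

# Layout inferred from the one log line quoted on slide 39 (an assumption):
#   pid:thread (Mon DD YYYY/HH:MM:SS.frac)[COMPONENT]message
LINE_RE = re.compile(
    r"^(?P<pid>\d+):(?P<tid>-?\d+) "
    r"\((?P<stamp>\w{3} +\d{1,2} \d{4}/\d{2}:\d{2}:\d{2}\.\d+)\)"
    r"\[(?P<component>[^\]]+)\](?P<message>.*)$"
)

# (name, required component or None, message pattern, action, advice).
# Advice restates the slides; the SSL pattern is a guess at the real wording.
RULES = [
    ("dss-admin-bind-failure", "S-AUTH", re.compile(r"\brc=8\b"), "act",
     "Check the admin bind credentials for the DSS server; the error "
     "persists until the admin ID/password is changed or IMC is restarted."),
    ("backend-cert-untrusted", None,
     re.compile(r"SSL error\b.*\b414\b", re.I), "act",
     "IMC does not trust the back-end certificate; add it as a Signer "
     "certificate in lmc.kdb and restart IMC."),
    ("benign-socket-close", None,
     re.compile(r"partner closed the socket before the protocol completed"),
     "ignore", "Benign; happens a lot with browser traffic."),
]


def parse_line(line):
    """Return the fields of one log line, or None if the layout differs."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def triage(lines):
    """Group known messages by rule; return (findings, unmatched lines)."""
    findings, unmatched = {}, []
    for raw in lines:
        rec = parse_line(raw)
        rule = rec and next((r for r in RULES
                             if r[1] in (None, rec["component"])
                             and r[2].search(rec["message"])), None)
        if not rule:
            unmatched.append(raw)  # unknown text or layout: review by hand
            continue
        name, _, _, action, advice = rule
        hit = findings.setdefault(name, {"count": 0, "first": rec["stamp"],
                                         "action": action, "advice": advice})
        hit["count"] += 1
        hit["last"] = rec["stamp"]
    return findings, unmatched


def needs_action(findings):
    """Names of the findings an administrator has to act on, sorted."""
    return sorted(n for n, f in findings.items() if f["action"] == "act")


# Constructed sample: only the first line is quoted from the slides; the
# EXAMPLE component tag and the other lines are made up for this demo.
SAMPLE_LOG = [
    "23910:-400946288 (Apr 13 2012/20:26:56.8244)[S-AUTH]AUTH_Server: authentiate rc=8",
    "23910:-400946288 (Apr 13 2012/20:27:01.1032)[EXAMPLE](The partner closed the socket before the protocol completed)",
    "23910:-400946288 (Apr 13 2012/20:31:12.5570)[S-AUTH]AUTH_Server: authentiate rc=8",
    "23910:-400946288 (Apr 13 2012/20:33:40.0021)[EXAMPLE]Failed connecting to server. SSL error, 414",
    "this line does not follow the layout",
]


if __name__ == "__main__":
    found, rest = triage(SAMPLE_LOG)
    print(needs_action(found), "unmatched:", len(rest))
```

The first and last timestamps per finding show whether the rc=8 condition is still recurring, which matches the slide's point that IMC keeps reporting it until the bind credentials are changed or the service is restarted.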